Final Thoughts

Are firewalls dead? Is there still any value in maintaining perimeter
security? Firewalls remain important technology, which is why they are being
built into so many devices. They aren't going away; if anything, they keep
appearing in unexpected places. What's changing is the foolish total dependence
on firewalls: organizations also need server and application security. What's
also changing is the increasing sophistication of firewall inspection, because
host-side controls do not scale on their own. Some server operating systems can
be configured to drop source-routed packets, for instance. But how do you apply
that setting consistently across 800 production servers, 400 test servers, and
the 100 or so old servers that some customers never want to give up? What will
never change is the need for proper and careful firewall administration.
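The scale problem above is concrete enough to script. The following is an added example, not code from the original article: a POSIX shell audit that reads a collected dump of per-host sysctl values and lists every interface that would still accept IPv4 source-routed packets. The dump format (hostname, tab, sysctl line) and the host names are assumptions of this example, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit which hosts in a
# fleet still accept IPv4 source-routed packets, from a dump of sysctl values.
#
# On Linux a packet carrying a loose/strict source-route option is accepted
# on an interface only when BOTH net.ipv4.conf.all.accept_source_route and
# net.ipv4.conf.<iface>.accept_source_route are 1; "default" is the template
# applied to interfaces created later, so it is checked like an interface.
# The dump format "host<TAB>key = value" is an assumption of this example: it
# is what `sysctl -a | grep accept_source_route` prints on each host, with
# the hostname prepended by whatever collector gathers the lines.

# Constructed sample standing in for a fleet: prod-01 is hardened, prod-02 has
# the conf.all switch off so its eth0=1 is harmless, test-07 is open on eth0,
# legacy-03 is open on the default template (new interfaces would accept).
SAMPLE=$(printf 'prod-01\tnet.ipv4.conf.all.accept_source_route = 0
prod-01\tnet.ipv4.conf.eth0.accept_source_route = 0
prod-02\tnet.ipv4.conf.all.accept_source_route = 0
prod-02\tnet.ipv4.conf.eth0.accept_source_route = 1
test-07\tnet.ipv4.conf.all.accept_source_route = 1
test-07\tnet.ipv4.conf.eth0.accept_source_route = 1
legacy-03\tnet.ipv4.conf.all.accept_source_route = 1
legacy-03\tnet.ipv4.conf.default.accept_source_route = 1
legacy-03\tnet.ipv4.conf.eth0.accept_source_route = 0')

# audit_source_route: read "host<TAB>key = value" lines on stdin and print
# "host iface" for every interface that would accept source-routed packets.
# A host whose dump lacks the conf.all line is never flagged, so make the
# collector always include it.
audit_source_route() {
    awk -F'\t' '
        {
            split($2, kv, " = ")
            key = kv[1]; val = kv[2]
            n = split(key, p, ".")      # net.ipv4.conf.<iface>.accept_source_route
            if (p[2] != "ipv4" || p[n] != "accept_source_route") next
            iface = p[4]
            if (iface == "all")
                all[$1] = val
            else
                per[$1 "\t" iface] = val
        }
        END {
            for (k in per) {
                split(k, h, "\t")
                if (all[h[1]] == "1" && per[k] == "1") print h[1], h[2]
            }
        }' | sort
}

# check_fleet: same input; prints the offenders and returns 1 if any exist,
# returns 0 (silently) when every host drops source-routed packets.
check_fleet() {
    _hits=$(audit_source_route)
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits"
    return 1
}

# Usage: printf '%s\n' "$SAMPLE" | check_fleet
# Remediation on a flagged host: sysctl -w net.ipv4.conf.all.accept_source_route=0
```

Run against the constructed sample, the audit reports `legacy-03 default` and `test-07 eth0` and nothing else; prod-02 is not flagged because the `conf.all` switch overrides its interface setting. Keeping 1,300 hosts in that state is the recurring chore the text describes; the firewall drops the same packets once, for all of them.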

Much of a firewall's security rests in the network design the organization
places around it. Create enough paths around the firewall, and it becomes a
worthless network ornament. Even when the firewall sits at the right choke
point, administrators must configure it to stop low-level attacks such as
spoofed source addresses and source-routed packets. It must be configured to
use the security features it offers, and each interface must carry the correct
context: which zone it faces and which addresses may legitimately appear there.
One of the biggest perimeter security failures is poor firewall architectural
design. Failure at that level makes rule examination worthless.
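As an added example of what correct context on the interfaces and stopping low-level attacks look like in practice (this is not code from the original article), the script below turns a small interface-to-zone table into an nftables ruleset: strict reverse-path filtering, dropping of IPv4 source-routed packets at the choke point, anti-spoofing rules generated from the zone table, and explicit forwarding paths over a default drop. The interface names, zone names and address prefixes are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original article): generate a zone-aware
# nftables ruleset from an interface table, so the "context" of every
# interface (which source prefixes may legitimately appear on it) is written
# down once and turned into anti-spoofing rules mechanically.
#
# Zone table format (assumption of this example): one line per interface,
# "<iface> <zone> <comma-separated prefixes behind it>". The "untrust" zone is
# the outside; anything may arrive there except a source address that belongs
# to one of the other zones. Addresses are RFC 1918 / RFC 5737 space.
ZONES='eth0 untrust 0.0.0.0/0
eth1 dmz 192.0.2.0/24
eth2 inside 10.0.0.0/8,172.16.0.0/12'

# antispoof_rules: print one nft drop rule per (interface, foreign prefix)
# pair: a packet entering <iface> must not claim a source address that lives
# behind a different interface.
antispoof_rules() {
    printf '%s\n' "$ZONES" | awk '
        { iface[NR] = $1; zone[NR] = $2; pfx[NR] = $3 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = 1; j <= NR; j++) {
                    if (i == j || zone[j] == "untrust") continue
                    n = split(pfx[j], p, ",")
                    for (k = 1; k <= n; k++)
                        printf "iif \"%s\" ip saddr %s counter drop comment \"%s claims %s\"\n", iface[i], p[k], zone[i], zone[j]
                }
        }'
}

# ruleset: print the complete nft file, with the generated anti-spoofing rules
# spliced into the forward chain.
ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet border {
    chain pre {
        type filter hook prerouting priority -300; policy accept;
        # strict reverse path: the route back to saddr must leave via the
        # interface the packet arrived on
        fib saddr . iif oif missing counter drop comment "reverse path fails"
        # drop IPv4 source-routed packets here instead of on every server
        # (ip option matching needs nftables 0.9.1+ / kernel 5.1+)
        ip option lsrr exists counter drop comment "loose source route"
        ip option ssrr exists counter drop comment "strict source route"
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        iif "eth2" tcp dport 22 accept comment "management from inside only"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid counter drop
EOF
    antispoof_rules | sed 's/^/        /'
    cat <<'EOF'
        # every permitted path is explicit; anything else hits policy drop
        iif "eth0" oif "eth1" ip daddr 192.0.2.0/24 tcp dport { 80, 443 } accept
        iif "eth2" oif "eth0" accept comment "inside to internet"
        iif "eth2" oif "eth1" accept comment "inside to dmz"
    }
}
EOF
}

# Usage on the firewall host, as root; -c parses without applying:
#   ruleset > /etc/nftables.conf && nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
```

The point of generating the anti-spoofing rules rather than typing them is that the zone table is the single statement of interface context; when an interface is re-purposed or a prefix is added, the table changes and the drops follow, instead of a stale rule quietly letting the outside interface present inside addresses. The forward chain is equally deliberate: it lists the paths the design permits, so any path around the firewall that the rules do not name is not an accident of rule order.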

Future articles in this series will discuss firewall rule evaluation,
including qualitative and quantitative measures of risk. We'll consider
different contexts and how to rate them. I'll even lay out my system of
risk evaluation for rules, which lets two organizations discuss the risk
of their firewall rule sets without revealing the actual rules, a system
I've been developing for more than a year, coming out of my burrow to
discuss key points with security friends around the world.

I'll also discuss firewall evaluations and a system that helps you
determine which firewall is best for an organization with certain
characteristics. Of course, the topic won't be complete until we cover tools
and procedures that test your firewall's settings and resilience, so that
firewall administrators can run their own intrusion study.